Triage and/or Preview Procedures

11 Posts
9 Users
(@steves)
Posts: 12
Active Member
Topic starter
 

I have been tasked by the powers above to find a way of 'trimming' or 'filtering' our backlog. It seems like it will be an ominous and arduous task, but I wondered if anyone else incorporates a Triage or Preview process which will lead to items being filtered out that do not warrant an investigation? I know Triage and Preview are different, but how different? I have already been in contact with Harry Parsonage at Nottinghamshire about their Triage process. Is there a procedure or policy for a previewing stage that any LE agency uses?

Many thanks in advance

 
Posted : 21/05/2010 1:00 pm
(@cfunn)
Posts: 20
Eminent Member
 

Hi Steve,

Have you considered purchasing some new equipment to help you do this? Evidence Talks' SPEKTOR is a Forensic Triage Solution which takes the strain out of Forensic Triage. Have a look at www.evidencetalks.com or give us a call at 08451254400 for more info.

Cheers

David

 
Posted : 21/05/2010 2:14 pm
Webbie
(@webbie)
Posts: 29
Eminent Member
 

Steve

We have done a similar process in South Wales Police HTCU.
If you ring me I'll discuss it with you. We have both Policies and Procedures for Triage.

Without being controversial on an open forum, the answer does not lie in the tools. Our force was a contributor to a workstream testing 'tools'. They are not all what they are cracked up to be.

 
Posted : 21/05/2010 2:39 pm
(@cyberspeak)
Posts: 1
New Member
 

Steve,

Triage is absolutely one of the things that all forensic agencies are having to do, some better than others. With respect to your question of "Is there a procedure or policy for a previewing stage that any LE agency uses?", triage must be viewed as an initial assessment. The slippery slope is that judges may try to say that if nothing is found during the triage phase, then no further work can be done on that system. Some people, who must be trying to be a lawyer, have said that you negate or diminish your probable cause if you triage and don't find anything. This is simply not true. If you would like to see what I think one of the best executed triage programs looks like, check out drive prophet (driveprophet.com). What makes this so good is that there are 3-4 things that make a successful triage tool: 1 - speed, 2 - a user friendly interface, 3 - targeting the correct data points and 4 - and this one is the one that everyone fails at - presenting an easily digestible output that non-technical people can quickly understand. Most tools provide too much technical detail because they cannot really think like a non-techie.

What info do you need to make a quick assessment of what was going on with a computer? Well, it really depends on the type of case/investigation it is, but in general you would probably want the following.

A unique list of top level domains visited on the internet via the web browser(s). Identifying the number of times visited is also nice, to assess which sites were visited the most.

Internet search history: what words have been searched for via the most popular search engines, e.g. Google, Bing, Yahoo, etc., and what date/time and user did the search.

What files were recently opened by the user (found through both lnk files in the Recent directory and the RecentDocs registry key).

What applications have been recently executed by the user (C:\Windows\Prefetch and the UserAssist registry key).

USB storage devices plugged into the system (UsbStor registry key).

Then you may also want to look at the graphics on the system or, if Vista or Windows 7, take a look at thumbcache_32, 96, 256 and 1024.

There is a lot more you can look at but this is one of the best starts you could build from.

If you can download a demo of driveprophet and run it against a write-blocked drive or a mounted image, you will see a lot more information, but all presented in a very "agent friendly" hyperlinked report.

Good luck.

 
Posted : 22/05/2010 5:53 am
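The post above lists the data points a quick assessment should pull out. The script below is an added illustration, not code from the thread or from any product it names, of three of them built with standard-library Python only: a unique list of site domains visited with visit counts, the terms searched on Google, Bing and Yahoo with the date/time and user of each search, and the programs run according to the Prefetch directory. The history records and Prefetch file names are constructed sample data (the Prefetch hashes are made up); on a real job they would come from the parsed browser history database and the Prefetch folder of a write-blocked drive or mounted image.

```python
"""Triage summary from web history and Prefetch names (added example).

Illustration code, not from the thread or any product named in it.
All input below is constructed sample data; in practice the records
would come from the parsed browser history database and the Prefetch
directory of a write-blocked drive or mounted image.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Query-string parameter that carries the search terms for each engine.
SEARCH_ENGINES = {"google": "q", "bing": "q", "yahoo": "p"}

# Constructed history records: (timestamp, user account, URL).
SAMPLE_HISTORY = [
    ("2010-05-20 09:12:03", "alice", "http://www.google.co.uk/search?q=forensic+triage+tools&hl=en"),
    ("2010-05-20 09:15:41", "alice", "http://www.forensicfocus.com/"),
    ("2010-05-20 09:16:02", "alice", "http://forensicfocus.com/computer-forensics-forums"),
    ("2010-05-20 11:03:17", "bob", "http://www.bing.com/search?q=cheap+flights+to+paris"),
    ("2010-05-21 08:44:55", "bob", "http://uk.search.yahoo.com/search?p=weather+nottingham&fr=yfp"),
    ("2010-05-21 08:50:12", "alice", "https://www.example.org/page?id=3"),
]

# Constructed Prefetch directory listing; the 8-hex-digit hashes are made up.
SAMPLE_PREFETCH = ["NOTEPAD.EXE-D8414F97.pf", "CMD.EXE-4A81B364.pf",
                   "NOTEPAD.EXE-D8414F97.pf", "Layout.ini"]

# Prefetch files are named <EXECUTABLE>-<hash>.pf; capture the executable part.
PREFETCH_NAME = re.compile(r"^(.+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def site_domain(url):
    """Hostname of the URL with a leading 'www.' removed ('' if no host)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_counts(history):
    """Unique domains visited, with how many history entries point at each."""
    domains = [site_domain(url) for _, _, url in history]
    return Counter(d for d in domains if d)


def search_terms(history):
    """(timestamp, user, engine, terms) for each search-engine query in history."""
    found = []
    for ts, user, url in history:
        parts = urlsplit(url)
        labels = (parts.hostname or "").lower().split(".")
        for engine, param in SEARCH_ENGINES.items():
            if engine in labels:
                terms = parse_qs(parts.query).get(param)
                if terms:  # parse_qs already turns '+' into spaces
                    found.append((ts, user, engine, terms[0]))
    return found


def prefetch_executables(names):
    """Sorted unique executable names taken from Prefetch file names."""
    exes = set()
    for name in names:
        match = PREFETCH_NAME.match(name)
        if match:
            exes.add(match.group(1).upper())
    return sorted(exes)


def build_report(history, prefetch_names):
    """Short plain-text summary: most visited sites, then searches, then programs run."""
    lines = ["Most visited sites:"]
    for domain, n in domain_counts(history).most_common():
        lines.append(f"  {n:4d}  {domain}")
    lines.append("Search terms:")
    for ts, user, engine, terms in search_terms(history):
        lines.append(f"  {ts}  {user:<6} {engine:<6} {terms}")
    lines.append("Programs run (Prefetch):")
    lines.extend(f"  {exe}" for exe in prefetch_executables(prefetch_names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_HISTORY, SAMPLE_PREFETCH))
```

The report deliberately stays short and sorted by frequency, which is the "easily digestible output" point the post makes; the same functions can be fed real parsed history rows and a real directory listing without change.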
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

There are two previous discussions of triage and previewing on FF that you may also get some information from.

The topics are
triage tools
Previewing or Imaging

I'd say that since this topic keeps coming up and commercial tools are being sold for triage/previewing, it must be a very relevant topic. Triage can be done with a single purchased tool such as the one mentioned in this thread (Driveprophet), or created with tools you already have on hand.

 
Posted : 22/05/2010 9:37 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What makes this an arduous task? Volume, or not knowing/understanding what you're looking for?

 
Posted : 22/05/2010 5:12 pm
(@cfunn)
Posts: 20
Eminent Member
 

Hi Steve, just a thought, but if you would like a demo of SPEKTOR let me know. We are based in Milton Keynes, so it wouldn't take long for us to come to you or for you to come to our secure facility.

David

 
Posted : 22/05/2010 6:49 pm
(@seanmcl)
Posts: 700
Honorable Member
 

It seems to me that, aside from the initial verification processes (OS, file system(s), account(s), times, etc.), the triage process is dictated by whatever it is you suspect the owner of doing. If I'm looking for evidence of patent infringement, I'm going to be following a different process than I would if I were looking for illicit images.

Also, it occurs to me that triage may be a misused term, since the purpose of triage is to prioritize tasks, not eliminate them.

 
Posted : 22/05/2010 8:37 pm
(@steves)
Posts: 12
Active Member
Topic starter
 

Thanks all for your responses. I was thinking along the lines of, say, four computers submitted for one suspect; at the triage/preview stage it is discovered that only one of the computers belongs to the suspect, and the rest belong to family members. It is my understanding that if evidence is seen at triage stage on just his computer, then a full examination would be carried out on only that computer and the others will be 'filtered' out, as there will be enough to charge. It is a direction we are looking at because the sheer volume of items we get submitted is often overwhelming, and increasing staffing levels is not an option. There are currently 4 of us in the HTCU, covering England, Scotland and Wales, so we need a way to 'filter' out what is submitted. Throwing money at new tools is not possible at this moment in time, so a procedure using current tools needs to be written. Many thanks to Webbie, you were a great help.

 
Posted : 23/05/2010 6:54 pm
rjpear
(@rjpear)
Posts: 97
Trusted Member
 

We now use TRIAGE on most of our warrants, mostly to get in, identify what the target machine is, and get out with the minimal seizure of property needed. This is done for our convenience and not the subject's (who wants to cart and maintain all of that property?). Of course all the buzz is based on trying to eliminate LE backlogs, which in many cases are caused by administrative rules created 10 years ago by non-computer-forensic folks.
An experienced forensic investigator, involved from step 1 at the warrant site, should have a decent idea what they need to locate and need to take. Many times I have been the recipient of a box of computer parts from the basement, taken by folks who took it because it was a computer, and if policy states it's gotta be analyzed then you have a backlog.
I am kinda old school in that I like a full forensic image of the target drive or data, but I also know that this isn't practical anymore due to the quantity and size of the drives. So a good PREVIEW of the drive, targeting what you are looking for, eliminating anything that doesn't need to be worked, and imaging the drives with evidence, seems to be the best solution for us at the moment.
I am just afraid that LE is getting pushed by administration, prosecutors, etc. into not doing REAL FORENSICS and just getting enough to get by.
...What was this thread about again?

 
Posted : 23/05/2010 7:13 pm
Page 1 / 2